Lucene search

K
mageiaGentoo FoundationMGASA-2024-0360
HistoryNov 12, 2024 - 10:53 p.m.

Updated curl packages fix security vulnerability

2024-11-1222:53:59
Gentoo Foundation
advisories.mageia.org
3
curl
hsts
subdomain
cache
expiry
vulnerability
fix
security
update
https
dos

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L

AI Score

7.1

Confidence

Low

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain’s cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with hosts like x.example.com as well as example.com where the first host is a subdomain of the second host. This flaw also affects the curl command line tool. When triggered, this is a potential minor DoS security problem when trying to use HTTPS when that no longer works or a cleartext transmission of data that was otherwise intended to possibly be protected. This update fixes the issue so subdomains cannot affect the HSTS cache of a parent domain.

OSVersionArchitecturePackageVersionFilename
Mageia9noarchcurl< 7.88.1-4.4curl-7.88.1-4.4.mga9

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L

AI Score

7.1

Confidence

Low